Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15504
The vulnerability is patched in v0.17.2, however NVD is currently tracking
the CVE without any version info (or more like with out any CPE info)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-42969
Upstream could not reproduce the issue.
The vulnerability has currently the "disputed" flag in the NVD database,
and Github has revoked their related advisory[1].
Ignore this CVE due to this.
[1]: https://github.com/advisories/GHSA-w596-4wvx-j9j6
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Contains fix for CVE-2026-21860
Changelog:
- safe_join on Windows does not allow more special device names,
regardless of extension or surrounding spaces.
- The multipart form parser handles a \r\n sequence at a chunk boundary.
This fixes the previous attempt, which caused incorrect content lengths.
- Fix AttributeError when initializing DebuggedApplication with pin_security=False.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Python watchdog has removed all dependencies except optional `pyyaml`
dependency for `watchmedo` utility, like follows [1]:
* pathtools dependency was removed in 1.0.0
* python-argh dependency removed in 2.1.6
* requests was never a dependency
* pyyaml only needed for extras (`watchmedo`) and may not be strictly necessary
[1] https://github.com/gorakhargosh/watchdog/blob/master/changelog.rst
Signed-off-by: Tero Kinnunen <tero.kinnunen@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upgrade to release 26.1.0:
Introduces the 2026 stable style, stabilizing the following changes:
- always_one_newline_after_import: Always force one blank line after
import statements, except when the line after the import is a
comment or an import statement
- fix_fmt_skip_in_one_liners: Fix # fmt: skip behavior on one-liner
declarations, such as def foo(): return "mock" # fmt: skip, where
previously the declaration would have been incorrectly collapsed
- fix_module_docstring_detection: Fix module docstrings being
treated as normal strings if preceded by comments
- fix_type_expansion_split: Fix type expansions split in generic
functions
- multiline_string_handling: Make expressions involving multiline
strings more compact
- normalize_cr_newlines: Add \r style newlines to the potential
newlines to normalize file newlines both from and to
- remove_parens_around_except_types: Remove parentheses around
multiple exception types in except and except* without as
- remove_parens_from_assignment_lhs: Remove unnecessary parentheses
from the left-hand side of assignments while preserving magic
trailing commas and intentional multiline formatting
- standardize_type_comments: Format type comments which have zero
or more spaces between # and type: or between type: and value to
# type: (value)
The following change was not in any previous stable release:
- Regenerated the _width_table.py and added tests for the Khmer
language
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add pytokens release 0.4.0:
- Various packaging and dev improvements
- Just avoid using uv
- Move setup.cfg to pyproject.toml
- Use mypyc for compilation
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- fix build issue on some platforms
- guard compile pragma use
- remove unneeded variable
- fix memory leak when a custom type in rules does not match
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
1. Add pkgconfig to solve following configure error:
../sources/adcli-0.9.3.1/configure: line 15340: syntax error near unexpected token `LIBSELINUX,'
../sources/adcli-0.9.3.1/configure: line 15340: `PKG_CHECK_MODULES(LIBSELINUX, libselinux, found_libselinux=yes, found_libselinux=no)'
2. Add PACKAGECONFIG[selinux] for new selinux support in 0.9.3.1.
3. Add 0001-configure.ac-Fix-selinux-error-for-cross_compiling.patch to fix SELINUX_MAKEFILE file check in 0.9.3.1.
4. Add --disable-offline-join-support to solve following configure error
configure: error: Couldn't build offline join support, Samba version too old or libnatapi devel package is missing
Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Remove patch that downgraded gbm_bo_create_with_modifiers.
Meanwhile gbm_bo_create_with_modifiers2 should be save to use?
Fix to work with manpages class
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
New, non-LTS version.
Release notes: https://github.com/django/django/blob/main/docs/releases/6.0.txt
New features in a nutshell:
- Content Security Policy support
- Template Partials
- Background Tasks
- Adoption of Python's modern email API
Ptest summary:
Ran 18643 tests in 164.287s
OK (skipped=1404, expected failures=5)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Django 4.2.x recipe has been deleted, the dependencies that were specific
to version 5.x can be moved to the common .inc file.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Execute the standard, non-selenium tests. The execution is
on the slower side: on my idle machine, KVM enabled it takes
a bit more than 2.5 minutes to execute it (executing tests with
4 threads parallel, 1/core, the default configuration). If the machine is
under load, it easily grows to over 10 minutes.
Added two backported patches for Django 5.2 to fix some tests that
would otherwise fail:
0001-Fix-test_strip_tags-test.patch: tag stripping tests failed due to
changed Python behavior
0001-fix-test_msgfmt_error_including_non_ascii-test.patch: tests were
updated to work with msgfmt 0.25
Most of the skipped tests require some specific database backend
(Postgres, MySQL, Oracle...) or are Selenium tests.
The output is very long (the suite contains way over 15k tests),
so I omit the example output here.
The current summary (for v5.2.9):
Ran 18121 tests in 140.891s
OK (skipped=1394, expected failures=5)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Though the version is not EOL yet, it doesn't support the Python
that comes with oe-core. The last version is supports is 3.12[1],
however oe-core comes with Python 3.13.
[1]: https://docs.djangoproject.com/en/6.0/faq/install/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
systemd_user_unitdir is the right variable to use
Fixes
ERROR: xdg-user-dirs-0.19-r0 do_package: QA Issue: xdg-user-dirs: Files/directories were installed but not shipped in any package:
/usr/lib
/usr/lib/systemd
/usr/lib/systemd/user
/usr/lib/systemd/user/xdg-user-dirs.service
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
xdg-user-dirs: 4 installed and not shipped files. [installed-vs-shipped]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
PACKAGECONFIG for wayland,nm have been removed upstream
PACKAGECONFIG for x11,xwayland have been added upstream
Add a patch to fix reproducibility in gnome-settings-daemon-src
============
Version 49.1
============
- Translation updates
Power:
- Avoid xext dependency
Xsettings:
- Build only if X11 or Xwayland are enabled
============
Version 49.0
============
- Translation updates
Power:
- Avoid polling light sensor if ambient light setting is disabled
=============
Version 49.rc
=============
- Translation updates
- Update to GNOME Session changes
Power:
- Fix check for shell-managed brightness
- Refactor light sensor enablement
A11y-settings:
- Manage Orca lifetime
===============
Version 49.beta
===============
- Translation updates
- Drop dependency on GTK4
- Add xwayland/x11 build options
Power:
- Do not treat all notifications as critical
- Let backlight auto-dimming in control of GNOME Shell
Housekeeping:
- Add new donation reminder notification
==================
Version 49.alpha.1
==================
Keyboard:
- Drop keyboard bell GSettings schema leftovers
================
Version 49.alpha
================
- Translation updates
- Update to GTK4
Power:
- Use new Mutter backlight D-Bus interface
Wacom:
- Drop support to update per-button OLED screens in Wacom
Intuos 4 model with descriptive actions. This tablet model
will still be functional, but the tiny screens besides the
pad buttons will remain blank.
============
Version 48.1
============
- Translation updates
- Cleanups and fixes
Power:
- Ensure the backlight interface signal gets emitted on startup
- Avoid using uninitialized value when restoring brightness
Sharing:
- Fixes to shutdown of sharing services
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- update dependencies
- inherit manpages mime
- build x11 depending on DISTRO_FEATURES
- rename packageconfig man->manpages to work with manpages class
============
Version 49.0
============
- Translation updates
- Fixed build with musl libc
- Fixed some memory corruption bugs that led to gnome-session-init-worker
crashing on logout
- Fixed a memory leak in gnome-session-init-worker
- Allowed Qt apps to use the Wayland text-input protocol, instead of forcing
them to use the direct ibus integration plugin
=============
Version 49.rc
=============
- Disabled the org.freedesktop.ScreenSaver proxy service on the login screen
- Separated out the systemd-specific code from the gnome-session leader process
into a dedicated executable. This makes it easier to integrate distributions
that use alternative init systems with gnome-session (though note that this
is still a usecase we don't officially support upstream)
- Translation updates
===============
Version 49.beta
===============
- gnome-session is no longer started via a shell script, and instead all of
the necessary setup is done in C.
- gnome-session's builtin service manager has been completely removed. Service
management will now be handled entirely by the operating system's native
service manager (i.e. systemd). See the following blog post for more information:
https://blogs.gnome.org/adrianvovk/2025/06/10/gnome-systemd-dependencies
- The "fail whale" dialog has been removed
- Various unused APIs and interfaces were removed, including:
- The org.gnome.SessionManager.Client and o.g.SM.App D-Bus interfaces
- Various D-Bus APIs related to the service manager
- Various .desktop and .session file keys that were used only by the
builtin service manager
- Fallback sessions, since there's no way to fall back anymore
- The code was significantly refactored
- gnome-session now provides a gnome-session-basic-services.target, that sessions
like the GDM greeter and gnome-initial-setup can use to avoid listing all of
the basic GNOME session services (like all the gnome-settings-daemon plugins)
- The --autostart command line option was removed, and instead kiosk sessions
should set Kiosk=true in their session definition file.
- Updated GNOME's mimetype defaults to drop Evince (which was replaced with Papers)
- Translation updates
==================
Version 49.alpha.1
==================
Fix POTFILES to stop listing deleted files
Stop requiring the gnome-settings-daemon Wacom plugin, which doesn't exist anymore
Ensure that we start localsearch when starting a GNOME session via systemd
Translation updates
==================
Version 49.alpha.0
==================
Removed XSMP
Removed session restore functionality
X11 sessions are disabled by default
Added a default mimeapps list for GNOME's core apps
gsd-xsettings now starts on demand in Wayland
Dropped gnome-dummy session
Allow Inhibit() with no app ID
Unset all LC_* variables that are bound to REGION
Ported fail whale to gtk4
Dropped session selector GUI
Dropped the hardware acceleration check
gnome-session-inhibit: Propagate parent death
gnome-session-inhibit: Fixup terminal handling
Contributors:
Benjamin Berg, Alessandro Bono, Matthias Clasen, gnome-build-meta-bot,
Neal Gompa, Sophie Herold, Javier Jardón, Chris Mayo, Simon McVittie,
Jordan Petridis, Ray Strode, Joan Torres, Adrian Vovk, Chris Williams
Translators:
Марко Костић [sr], Aefgh Threenine [th], A S Alam [pa], Baxrom Raxmatov [uz],
Ekaterine Papava [ka], Martin [sl], Quentin PAGÈS [oc], Vasil Pupkin [be]
============
Version 48.0
============
The gnome-session script no longer re-runs itself as a subprocess
GNOME OS CI was ported to use a CI template
Integrated new CI-based release process
Fix bugs caused by systemd v257's inhibitor behavior changes
Make `gnome-session --version` print to stdout rather than syslog
Translation updates
README updates
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- build x11 support depending on DISTRO_FEATURES
- add runtime path for nologin to fix reproducibility
- remove backport patch
- use gtk4
49.2
==========
* Translation updates
* Fixed bug that prevented X11 fallback whenever autologin fails
* Introduced CI tests built around GNOME OS
49.1
==========
* Translation updates
* Hotfixed a bug that leaves gnome-shell in a locked up state
* Fixed implementation of userdb, so we don't list our users when asked about
UID 0 (root)
* Switched safety check that avoids accidentally deleting / and /home from an
assertion to an error, so the check always runs even in production builds
* Fixed bug where gnome-initial-setup's configuration (i.e. input methods)
failed to migrate to the final user session
* Fixed bug where GDM assumed that Wayland is unavailable if Xwayland wasn't
installed on the system
49.0.1
==========
* Follow-up for permissions issue fix, making the fix work in more environments
49.0
==========
* Translation updates
* Fix build failures when built without plymouth support
* Fix permissions issue on the GDM work dir (/var/lib/gdm) that broke settings
persistence
49.rc
==========
* Translation updates
* Fixed a bug in PAM config files, introduced by transition to dynamic users
* Added logic to retry preferred display server (usually Wayland) before falling
back (usually to X11)
* Fixed a bug where Plymouth keeps running if not display is plugged into the
system. This would prevent bootup from completing and would prevent the user
from logging in on a serial console
* Fixed GDM's session file loading logic to search directories in correct
precedence order
* Fix simpledrm device detection to match the kernel's new device naming scheme
* Re-enabled X11 support by default. We found it difficult to cleanly separate
GDM's ability to launch modern X11 sessions (which we intended to keep enabled
in GNOME 49) from the rest of GDM's X11 integration (which we intended to
disable but leave intact for GNOME 49). We still plan to remove GDM's full
X11 integration in a future version, and leave only the ability to launch
modern X11 sessions.
* Worked around a regression introduced by the switch to dynamic users, where
the login screen no longer persists any settings
49.beta
==========
* Translation updates
* Switch to using dynamic users for greeter sessions. This enables systemd-based
session management on the greeter, removes GDM's dependency on dbus-daemon,
and frees us to drop gnome-session's builtin service manager.
* Adapt to changes in gnome-session 49, which dropped the builtin service manager
code and now exclusively relies on systemd for session startup. This means that
GDM now depends on gnome-session 49.
49.alpha.1
==========
* Drop dependency on Wacom g-s-d plugin [Jordan; !301]
* Drop leftover udev rules [Alessandro; !299]
* Fix warning when building without libxdmcp support [Florian; !300]
* Add polkit rules to allow access to smartcards [David, !287]
* Misc [Joan; !298]
Contributors:
Alessandro Astone, David Härdeman, Joan Torres López,
Florian Müllner, Jordan Petridis
Translators:
Takayuki Kusano [ja], Aefgh Threenine [th]
==================
Version 49.alpha.0
==================
- meson: Change x11-support default value to false
- Disable Xorg session by default
- udev: Drop disable_wayland overrides
- Fix build with gcc 15
- Translation updates
Contributors:
Zbigniew Jędrzejewski-Szmek, Florian Müllner, Jordan Petridis,
Ray Strode, Joan Torres, Adrian Vovk, Alynx Zhou
Translators:
Antonio Marin [ro], Baxrom Raxmatov [uz], Cheng-Chia Tseng [zh_TW],
Andi Chandler [en_GB], Peter Mráz [sk], Rūdolfs Mazurs [lv]
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE metrics currently report CVE-2025-34468 as open.
CPE is <=4.3.5, while recipe version is 4.3.5a which is a higher
version, however by default cve-check only compares numbers.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Use the latest commit from the 1.4 branch; the last 1.4 release was 3
months ago so it contains important fixes.
- The contents of /usr/share/ are slightly different, so change the path
slightly.
- The new patch fixes the .pc file generation (it also ensures that
there are no references to absolute paths in the .pc file which would
need to be removed again).
- PubSub information model is now enabled by default, add a new option
to disable it (disabling only pubsub isn't enough).
Signed-off-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Motivation for this is to get vapi files created which are required to
e.g. build the budgie desktop
-Add PACKAGECONFIG for x11 and build depending on DISTRO_FEATURES
-Build vala by default
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fixes:
ERROR: nodejs-22.21.1-r0 do_patch: Applying patch '0001-deps-disable-io_uring-support-in-libuv.patch' on target directory '/build/tmp/work/core2-32-poky-linux/nodejs/22.21.1/sources/node-v22.21.1'
CmdError('quilt --quiltrc /build/tmp/work/core2-32-poky-linux/nodejs/22.21.1/recipe-sysroot-native/etc/quiltrc push', 0, "stdout: Applying patch 0001-deps-disable-io_uring-support-in-libuv.patch
can't find file to patch at input line 27
The sources which related to libuv as deps/uv/ are removed in prune_sources
when depends on libuv.
So postpone prune_sources execute at do_patch phase to fix the gap.
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is the December 2025 security release that the nodejs team released
January 13, 2026.
3 high severity issues.
4 medium severity issues.
1 low severity issue.
High priority fixes:
CVE-2025-55131
CVE-2025-55130
CVE-2025-59465
Medium priority fixes:
CVE-2025-59466
CVE-2025-59464
CVE-2026-21636 *
CVE-2026-21637
Low priority fixes:
CVE-2025-55132
* note that this medium priority CVE only effects Nodejs v25.
https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
Changelog: https://github.com/nodejs/node/releases/tag/v22.22.0
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==============
- fix: resolve TOCTOU vulnerabilities in app_data and lock directory creation
- fix: Prevent NameError when accessing _DISTUTILS_PATCH during file overwrite
- Upgrade pip and fix 3.15 picking old wheel
- fix: wrong path on migrated venv
- test_too_many_open_files: assert on errno.EMFILE instead of strerror
- fix: update filelock dependency version to 3.20.1 to fix CVE CVE-2025-68146
- fix: resolve EncodingWarning in tox upgrade environment
- Fix Interpreter discovery bug wrt. Microsoft Store shortcut using Latin-1
- Add support for PEP 440 version specifiers in the --python flag.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
- Add wait_for_activation parameter to pystemd.run to wait only for service activation without blocking until completion
- Document cwd and wait_for_activation parameters in pystemd.run
- Drop support for Python 3.6-3.10, now requires Python 3.11+
- Add unit property and unit_name to TransientUnitProcess for easy access to the running unit
- Change development tooling to use uv for package management
- Change lint/format stack from black/mypy to ruff/pyrefly
- Add a lot of typing
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
- Make sure tests/__init__.py is included in sdist
- Fix compatibility with pytest
- Explicitly tag Python 3.14 compatibility
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
AISTracker.update now accepts raw sentences as well as decoded messages
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
fix regression where the 'plugin' was not passed to pppd
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
